How to deal with a “Hacked” Windows computer
Charles Duncan
SVP of Information Technology | Specialized Honours in Computer Science | MCSE | CCNA | Linux | ITIL | GCP | POS
As a computer consultant or IT Manager you will encounter many instances of dealing with a “hacked” computer (or a suspected “hacked” computer.) If it is proven that the computer has been “hacked” or acting suspiciously, I generally recommend that the client rebuild the computer. The amount of work to clean the computer is extensive and a highly skilled process. Most clients are unaware of the amount of labor required to clean a computer.
In most cases, the client will still opt for the cleaning, and that is when I need to inform them of the many steps required to carry out the request of cleaning their computer(s).
Step 1: prepare for the cleaning of the computer by:
- Kill all non-essential processes using rkill, TDSSKiller and ProcessKiller.
- Run McAfee Stinger
- Do a FULL registry backup
- Do a full WMI repair
- Do a sysrestore clean
- Do a VSS set purge (Microsoft Volume Shadow Copy Service (VSS) snapshots) of the oldest set
- Create a system restore point
- Do a full SMART disk check (all disks)
- Set system time via NTP time
Congratulations, step one is complete, only 8 more steps to go!!
Step 2: Temp File Clean
- Clean the computer by running Tempclean: TempFileCleanup, CCleaner, and BleachBit
- Backup & clear event logs
- Do a full Windows Update cache cleanup
- Do a full Internet Explorer cleanup
- Do a full USB device cleanup
Step 3: DeBloat
- Remove all OEM bloatware
Step 4: DisInfect
- Run Kaspersky Virus Removal Tool
- Run Sophos Virus Removal Tool
- Run Malwarebytes
- Do a full DISM image check (Win8/2012 only)
Step 5: Repair
- Do a full Registry permissions reset
- Do a Filesystem permissions reset
- Do a full SFC /scannow (SFC = Microsoft System File Checker)
- Do a chkdsk (if necessary) on all drives
Step 6: Patch
- Update all Windows Software (7-Zip, Java, and Adobe Flash/Reader, etc.)
- Upgrade all of Windows Operating System
Step 7: Optimize
- Do a page file reset
- Defrag %SystemDrive% (usually C:; not required if the drive is an SSD)
Step 8: Wrap-up
- Create and send a job completion report
Step 9: Manual stuff
- Do a full rootkit scan (PCHunter)
- Do a full Adware scan (AdwCleaner, ComboFix, Junkware Removal Tool)
- Repair/relink all Services (ServicesRepair)
- Review the MBR (Master Boot Record) and all startup commands
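As an added example (not code from the article, and not the Tron project's own scripts), the following PowerShell script automates the parts of Steps 1, 2, 5, 7, 8 and 9 above that can be run safely without any third-party tool on Windows 8 / Server 2012 or newer: it writes a job transcript, backs up the registry hives, creates a restore point, checks disk health, syncs the clock, exports event logs, captures startup commands and scheduled tasks for manual review, runs DISM and SFC, scans every NTFS volume, and optimizes the system drive according to its media type. The working folder under $env:SystemDrive\CleanupJob, the list of logs and the -ClearLogs switch are assumptions; event logs are only exported unless you pass -ClearLogs, because the exported .evtx files are the evidence you will want if the "hacked" verdict is ever questioned.

```powershell
#Requires -RunAsAdministrator
# Added example: automates the evidence-preserving parts of the cleanup steps.
# $Work, $Logs and -ClearLogs are assumptions, not values from the article.
param(
    [string]$Work = "$env:SystemDrive\CleanupJob\$(Get-Date -Format 'yyyyMMdd-HHmm')",
    [string[]]$Logs = @('System', 'Security', 'Application'),
    [switch]$ClearLogs   # off by default: export only, the .evtx files are your evidence
)
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Start-Transcript -Path "$Work\job-report.txt"    # Step 8: job completion report

function Invoke-Step {
    param([string]$Name, [scriptblock]$Action)
    Write-Host "`n=== $Name ==="
    try { & $Action } catch { Write-Warning "$Name failed: $_" }
}

# Step 1: registry backup (binary hive copies for HKLM, .reg export for HKCU)
Invoke-Step 'Registry backup' {
    foreach ($hive in 'HKLM\SYSTEM', 'HKLM\SOFTWARE') {
        reg.exe save $hive "$Work\$($hive -replace '\\', '_').hiv" /y | Out-Null
    }
    reg.exe export HKCU "$Work\HKCU.reg" /y | Out-Null
}

# Step 1: system restore point (Windows creates at most one per 24 h by default;
# a refusal is recorded in the transcript rather than stopping the job)
Invoke-Step 'Restore point' {
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description "Pre-cleanup $(Get-Date)" -RestorePointType MODIFY_SETTINGS
}

# Step 1: SMART / health status of every physical disk
Invoke-Step 'Disk health' {
    Get-PhysicalDisk | Select-Object FriendlyName, MediaType, HealthStatus, OperationalStatus | Format-Table -AutoSize
    Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus |
        Select-Object InstanceName, PredictFailure, Reason | Format-Table -AutoSize
}

# Step 1: set the clock via NTP so the timestamps in the exported logs are trustworthy
Invoke-Step 'Time sync' { w32tm.exe /resync /rediscover }

# Step 2: back up the event logs; clear them only when explicitly requested
Invoke-Step 'Event logs' {
    foreach ($log in $Logs) {
        $file = Join-Path $Work (($log -replace '[\\/]', '_') + '.evtx')
        if ($ClearLogs) { wevtutil.exe cl $log "/bu:$file" } else { wevtutil.exe epl $log $file }
    }
}

# Step 9: startup commands and enabled scheduled tasks, saved for manual review
Invoke-Step 'Startup review' {
    Get-CimInstance Win32_StartupCommand |
        Select-Object Name, Command, Location, User |
        Export-Csv -NoTypeInformation "$Work\startup-commands.csv"
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.TaskPath
            Name   = $_.TaskName
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Export-Csv -NoTypeInformation "$Work\scheduled-tasks.csv"
}

# Steps 4 and 5: component store check, then System File Checker
Invoke-Step 'DISM / SFC' {
    DISM.exe /Online /Cleanup-Image /ScanHealth
    sfc.exe /scannow
    "sfc exit code: $LASTEXITCODE"
}

# Step 5: online chkdsk equivalent on every fixed NTFS volume
Invoke-Step 'Volume scan' {
    Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' -and $_.FileSystem -eq 'NTFS' } |
        ForEach-Object { "$($_.DriveLetter): $(Repair-Volume -DriveLetter $_.DriveLetter -Scan)" }
}

# Step 7: defragment only spinning disks; an SSD gets a TRIM pass instead
Invoke-Step 'Optimize' {
    $sys = $env:SystemDrive.TrimEnd(':')
    $diskNumber = (Get-Partition -DriveLetter $sys | Get-Disk).Number
    $media = (Get-PhysicalDisk | Where-Object { [int]$_.DeviceId -eq $diskNumber }).MediaType
    switch ($media) {
        'SSD'   { Optimize-Volume -DriveLetter $sys -ReTrim -Verbose }
        'HDD'   { Optimize-Volume -DriveLetter $sys -Defrag -Verbose }
        default { Optimize-Volume -DriveLetter $sys -Verbose }   # let Windows choose
    }
}

Stop-Transcript
Write-Host "Report and evidence saved under $Work"
```

Run it from an elevated Windows PowerShell prompt (Checkpoint-Computer and the Storage cmdlets are not available in PowerShell Core); the transcript in job-report.txt doubles as the Step 8 completion report, and the CSV files give you the Step 9 startup review to read through by hand before you decide whether a rebuild is unavoidable.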
This is a good, reasonable start and should clean/optimize the majority of cases encountered. One caveat is that I would recommend doing a FULL drive image backup of your client’s PC before starting. This is a lot of work, and you will need a high level of skill to review any errors encountered and then take appropriate action.
Now, what would you say if I told you that you could automate the majority of these steps and processes?
The Reddit community (r/TronScript) has maintained an automated scripting tool to do all of the above steps and more.
This is an integral collection of tools for anyone to keep on a USB flash drive (<700MB), and it will prove extremely effective at repairing and getting rid of the most common issues that make a Windows computer perform poorly. It is not a quick fix, so expect to spend a little time using it, but your client's machine is worth it!
Charles Duncan is a Veteran IT Consultant who founded Crown Computing Incorporated and managed Micro Services for York University. Charles has extensive experience in Linux, Apple, Windows, and Networking with a Bachelor of Science in Computer Science, and is also MCSE, and CCNA certified. Connect with Charles on LinkedIn and Facebook.